This method allows me to impersonate any domain including Facebook domains. Imagine an attacker can send a phishing page via chat that he controls and impersonate Facebook. Or the attacker manages to attack other websites of which have send button and change source code “data-href” parameter on the website and every content users share will go to attacker website.